OpenClaw, Path Traversal, CVE-2026-XXXXX (High)

Listen to this Post

The vulnerability allows an authenticated attacker to read arbitrary files from the Gateway host by manipulating the browser tool’s upload functionality. The server passes user-supplied paths directly to Playwright’s `setInputFiles()` APIs without validating or restricting them to a safe root directory . Attackers can supply absolute paths or path traversal sequences (e.g., ../../etc/passwd) to the vulnerable endpoints. The primary entry points are `POST /tools/invoke` with `{“tool”:”browser”,”action”:”upload”,…}` and `POST /hooks/file-chooser` . When these unvalidated paths reach Playwright, the framework reads the referenced files from the local filesystem and attaches them to a page-level `` element. The file contents can then be exfiltrated through page JavaScript using `FileReader` API or via agent/browser snapshots . Exploitation requires the attacker to reach the Gateway HTTP surface, present valid authentication (bearer token or password), and have the browser tool permitted by policy . In default configurations, the Gateway binds to loopback with a generated token, but exposure increases if operators bind to LAN, use reverse proxies, or tunnels . The vulnerability affects OpenClaw npm package versions before 2026.2.14, including the latest published version 2026.2.13 .
Platform: OpenClaw (npm)
Version: < 2026.2.14
Vulnerability: Path Traversal
Severity: High
date: 2026-02-18

Prediction: 2026-02-25

What Undercode Say:

Analytics:

  • Multiple OpenClaw vulnerabilities fixed in version 2026.2.14 including SSRF in Tlon extension (GHSA-pg2v-8xwh-qhcc) and unsafe hook module handling (GHSA-v6c6-vqqg-w888)
  • Vulnerability reported by @p80n-sec with clear reproduction and impact analysis
  • Fix commit: `3aa94afcfd12104c683c9cad81faf434d0dadf87`
    – Patch confines upload paths to `DEFAULT_UPLOAD_DIR` and rejects traversal attempts

Exploit:

Exploit using curl to read /etc/passwd
curl -X POST http://target:port/tools/invoke \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"tool":"browser","action":"upload","params":{"paths":["/etc/passwd"]}}'
Alternative using path traversal
curl -X POST http://target:port/tools/invoke \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{"tool":"browser","action":"upload","params":{"paths":["../../../../etc/passwd"]}}'

Protection from this CVE:

Upgrade to patched version
npm install [email protected]
Verify installation
npm list openclaw
If unable to upgrade, restrict network exposure
Bind to loopback only in config
echo '{"gateway":{"bindAddress":"127.0.0.1"}}' > config.json
Audit current version
npm audit | grep openclaw

Impact:

  • Arbitrary local file read on Gateway host
  • Confidentiality breach: access to system files, configuration, credentials
  • Increased risk when Gateway exposed beyond loopback
  • No code execution, but file disclosure can enable further attacks

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top